other versions
- wheezy 0.8.0-4+b1
OSCAP(8) | System Administration Utilities | OSCAP(8) |
NAME¶
oscap - OpenSCAP command line toolSYNOPSIS¶
oscap [general-options] module operation [operation-options-and-arguments]DESCRIPTION¶
oscap is Security Content Automation Protocol (SCAP) toolkit based on OpenSCAP library. It provides various functions for different SCAP specifications(modules).GENERAL OPTIONS¶
- -V, --version
- SCAP specification supported by the module.
- -q, --quiet
- No output for certain operations, only return code.
- -h, --help
- Help screen.
MODULES¶
- oval
- Open Vulnerability and Assessment Language.
- xccdf
- The eXtensible Configuration Checklist Description Format.
- cpe
- Common Platform Enumeration.
- cvss
- Common Vulnerability Scoring System
OVAL OPERATIONS¶
- collect [options] definitions-file
Probe the system and gather system
characteristics for all objects in OVAL Definition file.
- --id OBJECT-ID
- Collect system characteristics ONLY for specified OVAL Object.
- --variables FILE
- Provide external variables expected by OVAL Definitions.
- --syschar FILE
- Write OVAL System Characteristic into file
- --skip-valid
- Do not validate input/output files.
- eval [options] definitions-file
Probe the system and evaluate all definitions
from OVAL Definition file. Print result of each definition to standard output.
oscap returns 0 if all definitions pass. If there is an error during
evaluation, the return code is 1. If there is at least one failed result
definition, oscap-scan finishes with return code 2.
- --id DEFINITION-ID
- Evaluate ONLY specified OVAL Definition.
- --variables FILE
- Provide external variables expected by OVAL Definitions.
- --directives FILE
- Use OVAL Directives content to specify desired results content.
- --results FILE
- Write OVAL Results into file.
- --report FILE
- Create human readable (HTML) report from OVAL Results.
- --skip-valid
- Do not validate input/output files.
- analyse [options] --results FILE definitions-file syschar-file
In this mode, the oscap tool does not perform
data collection on the local system, but relies upon the input file, which may
have been generated on another system. The output (OVAL Results) is printed to
file specified by --results parameter
- --variables FILE
- Provide external variables expected by OVAL Definitions.
- --directives FILE
- Use OVAL Directives content to specify desired results content.
- --skip-valid
- Do not validate input/output files.
- validate-xml [options] definitions-file
Validate given OVAL file against a XML schema.
Every found error is printed to the standard output. Return code is 0 if
validation succeeds, 1 if validation could not be performed due to some error,
2 if the OVAL document is not valid.
- --definitions, --variables, --syschar, --results --directives
- Specify whether the validated document is an OVAL Definitions file, external OVAL Variables, OVAL System Characteristics file, OVAL Results file or OVAL Directives file. Default: definitions.
- --schematron
- Turn on Schematron-based validation. It is able to find more errors and inconsistencies but is much slower.
- generate <submodule> [submodule-specific-options]
Generate another document form an OVAL file.
- Available submodules:
- report [options] oval-results-file
Generate a formatted HTML page containing
visualisation of an OVAL results file. Unless the --output option is specified
it will be written to the standard output.
- --output FILE
- Write the report to this file instead of standard output.
- list-probes [options]
List supported object types (i.e. probes)
- --static
- List all probes defined in the internal tables.
- --dynamic
- List all probes supported on the current system (this is default behavior).
- --verbose
- Be verbose.
XCCDF OPERATIONS¶
- eval [options] xccdf-file [oval-definitions-files]
Perform evaluation driven by XCCDF file and
use OVAL as checking engine. Print result of each rule to standard output.
oscap returns 0 if all rules pass. If there is an error during evaluation, the
return code is 1. If there is at least one failed rule, oscap-scan finishes
with return code 2.
You may specify all required OVAL Definition files as last parameters. If you
don't do that, oscap tool will try to load all OVAL Definition files
referenced from XCCDF automaticaly(search in the same path as XCCDF).
- --profile PROFILE
Select a particular profile from XCCDF
document.
- --results FILE
Write XCCDF results into file.
- --report FILE
Write HTML report into file. You also have to
specify --result for this feature to work.
- --oval-results
Generate OVAL Result file for each OVAL
session used for evaluation. File with name '
original-oval-definitions-filename.result.xml' will be generated for
each referenced OVAL file. This option (with conjunction with the
--report option) also enables inclusion of additional OVAL information
in the XCCDF report.
- --export-variables
Generate OVAL Variables documents which
contain external variables' values that were provided to the OVAL checking
engine during evaluation. The filename format is '
original-oval-definitions-filename-
session-index.variables-variables-index.xml'.
- --skip-valid
Do not validate input/output files.
- resolve -o output-file xccdf-file
Resolve an XCCDF file as described in the
XCCDF specification. It will flatten inheritance hierarchy of XCCDF profiles,
groups, rules, and values. Result is another XCCDF document, which will be
written to output-file.
- --force
- Force resolving XCCDF document even if it is already marked as resolved.
- validate-xml [options] xccdf-file
Validate given XCCDF file against a XML
schema. Every found error is printed to the standard output. Return code is 0
if validation succeeds, 1 if validation could not be performed due to some
error, 2 if the XCCDF document is not valid.
- export-oval-variables [options] xccdf-file [oval-definitions-files]
Collect all the XCCDF values that would be
used by OVAL during evaluation of a certain profile and export them as OVAL
external-variables document(s). The filename format is '
original-oval-definitions-filename-
session-index.variables-variables-index.xml'.
- --profile PROFILE
Select a particular profile from XCCDF
document.
- generate [options] <submodule> [submodule-specific-options]
Generate another document form an XCCDF file
such as security guide or result report.
- --profile ID
- Apply profile with given ID to the Benchmark before further processing takes place.
- --format FMT
- Specify output format. This option applies only on document generators (i.e. guide, report). Avalable formats: html (default), docbook.
- Available submodules:
- guide [options] xccdf-file
Generate a formatted document containing a
security guide from a XCCDF Benchmark. Unless the --output option is specified
it will be written to the standard output. Without profile being set only
groups (not rules) will be included in the output.
- --output FILE
- Write the guide to this file instead of standard output.
- --hide-profile-info
- Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document.
- report [options] xccdf-file
Generate a document containing results of a
XCCDF Benchmark execution. Unless the --output option is specified it will be
written to the standard output. ID of the TestResult element to visualise
defaults to the most recent result (according to the end-time attribute).
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- ID of the XCCDF TestResult from which the report will be generated.
- --show what
- Specify what result types shall be displayed in the result report. The default is to show everything except for rules with results notselected and notapplicable. The what part is a comma-separated list of result types to display in addition to the default. If result type is prefixed by a dash '-', it will be excluded from the results. If what is prefixed by an equality sign '=', a following list specifies exactly what rule types to include in the report. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail.
- --oval-template template-string
- To use the ability to include additional information from OVAL in xccdf result file, a template which will be used to obtain OVAL result file names has to be specified. The template can be either a filename or a string containing wildcard character (percent sign '%'). Wildcard will be replaced by the original OVAL definition file name as referenced from the XCCDF file. This way it is possible to obtain OVAL information even from XCCDF documents referencing several OVAL files. To use this option with results from an XCCDF evaluation, specify %.result.xml as a OVAL file name template.
- fix [options] xccdf-file
Generate a script that shall bring the system
to a state of compliance with given XCCDF Benchmark.
- --output FILE
- Write the report to this file instead of standard output.
- --result-id ID
- With this option the script generating engine will pick rules that failed for given test and generate fixes only for them.
- --template ID|FILE
- Template to be used to generate the script. If it contains a dot '.' it is interpreted as a location of a file with the template definition. Otherwise it identifies a template from standard set which currently includes: bash (default if no --template switch present). Brief explanation of the process of writing your own templates is in the XSL file xsl/fix.xsl in the openscap data directory. You can also take a look at the default template xsl/fixtpl-bash.xml.
CPE OPERATIONS¶
- check name
Check whether name is in correct CPE
format.
match name dictionary.xml
Find an exact match of CPE name in the
dictionary.
CVSS OPERATIONS¶
- score cvss_vector
Calculate score from a CVSS vector. Prints
base score for base CVSS vector, base and temporal score for temporal CVSS
vector, base and temporal and environmental score for environmental CVSS
vector.
- describe cvss_vector
Describe individual components of a CVSS
vector in a human-readable format and print partial scores.
- CVSS vector consists of several slash-separated components specified as key-value pairs. Each key can be specified at most once. Valid CVSS vector has to contain at least base CVSS metrics, i.e. AV, AC, AU, C, I, and A. Following table summarizes the components and possible values (second column is metric category: B for base, T for temporal, E for environmental):
AV:[L|A|N] B Access vector: Local, Adjacent network, Network
AC:[H|M|L] B Access complexity: High, Medium, Low
AU:[M|S|N] B Required authentication: Multiple instances, Single instance, None
C:[N|P|C] B Confidentiality impact: None, Partial, Complete
I:[N|P|C] B Integrity impact: None, Partial, Complete
A:[N|P|C] B Availability impact: None, Partial, Complete
E:[ND|U|POC|F|H] T Exploitability: Not Defined, Unproven, Proof of Concept,
Functional, High
RL:[ND|OF|TF|W|U] T Remediation Level: Not Defined, Official Fix, Temporary Fix,
Workaround, Unavailable
RC:[ND|UC|UR|C] T Report Confidence: Not Defined, Unconfirmed, Uncorroborated,
Confirmed
CDP:[ND|N|L|LM|MH|H] E Collateral Damage Potential: Not Defined, None, Low,
Low-Medium, Medium-High, High
TD:[ND|N|L|M|H] E Target Distribution: Not Defined, None, Low, Medium, High
CR:[ND|L|M|H] E Confidentiality requirement: Not Defined, Low, Medium, High
IR:[ND|L|M|H] E Integrity requirement: Not Defined, Low, Medium, High
AR:[ND|L|M|H] E Availability requirement: Not Defined, Low, Medium, High
CONTENT¶
- National Vulnerability Database - http://web.nvd.nist.gov/view/ncp/repository
- Red Hat content repository - http://www.redhat.com/security/data/oval/
-
AUTHOR¶
Peter Vrabec <pvrabec@redhat.com>Jun 2010 | Red Hat |